Hardening Windows 2000/XP
Abstract
This is a set of security settings which I believe significantly strengthen
the security of Windows 2000/XP.
Audience
This document is aimed at a user with the following (approximate) Windows
setup:
- Standalone Windows installation (not part of a domain)
- Does not need to communicate with Windows 9x, ME or NT servers located on
the same LAN
- Does not have any servers installed (especially IIS, SQLServer or
TerminalServices)
- Shares files and/or printers on the LAN
- One or more users have local accounts
Settings
The following list is sorted in order of importance:
- Apply all WindowsUpdate patches
Keep your system up to date, checking for new patches at least weekly. The
patches for Named Pipes and NetDDE are particularly important, since those
vulnerabilities have trivial public exploits.
- Use NTFS instead of FAT or FAT32
NTFS provides permissions on files and directories, encrypted files (EFS),
compressed files and many other useful features. FAT and FAT32 have no access
control at all. NTFS is essential both for protecting your personal files from
other users of the machine and for protecting system files from being tampered
with or deleted.
- Use strong passwords
If someone compromises the local Administrator account (from another local
account or over the network), they have complete control of the machine.
Create and use a strong password or passphrase (Diceware is a good method).
Do not share this password or passphrase with anyone and do not write it
down.
- Log in as a member of a less privileged group
Rather than logging in as Administrator (or as a user who is a member of the
Administrators group), create a separate account that is a member of the Users
group or, if you must be able to install software, of the Power Users group.
If that account is compromised (by a virus, for example), the damage is
limited to what the account can reach, essentially your own files. For
day-to-day use, Power Users can do about 80% of what Administrators can. When
you must run software that requires Administrator privileges, use the "runas"
command, or hold Shift while right-clicking a shortcut (a plain right-click
suffices on Windows XP) and select "Run as..." from the menu; this covers more
than 95% of the software you are likely to need. Be aware that Power Users can
write to Program Files and to HKLM\Software, the places where trojaned
binaries and autostart hooks are planted, so a compromised Power User account
is much closer to Administrator than to a plain User; prefer the Users group
where practical.
- Set up Internet Explorer security zones
First make the hidden "My Computer" security zone visible in the "Internet
Options" Control Panel applet by setting the DWORD value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
to 1 (the default, 0x21, includes the 0x20 "do not show this zone" bit).
Note that ActiveX controls are disabled in the Internet zone. This might seem
limiting, but it is necessary because of the large number of ActiveX control
vulnerabilities discovered recently: it is unwise to have ActiveX controls
enabled while casually browsing the web. If you must use a site that requires
ActiveX controls (such as WindowsUpdate), add that site to the Trusted sites
security zone. The recommended settings for each zone are:
 # | Description | Internet | Local intranet | Trusted sites | Restricted sites | My Computer
 1 | Download signed ActiveX controls | Disabled | Prompt | Prompt | Disabled | Prompt
 2 | Download unsigned ActiveX controls | Disabled | Disabled | Disabled | Disabled | Disabled
 3 | Initialize and script ActiveX controls not marked as safe | Disabled | Disabled | Disabled | Disabled | Disabled
 4 | Run ActiveX controls and plug-ins | Disabled | Prompt | Enabled | Disabled | Enabled
 5 | Script ActiveX controls marked as safe for scripting | Disabled | Prompt | Enabled | Disabled | Enabled
 6 | File Download | Enabled | Enabled | Enabled | Disabled | Enabled
 7 | Font download | Prompt | Prompt | Prompt | Disabled | Prompt
 8 | Java permissions | High | High | High | Disabled | Medium
 9 | Access data sources across domains | Disabled | Prompt | Prompt | Disabled | Prompt
10 | Allow META REFRESH | Enabled | Enabled | Enabled | Disabled | Enabled
11 | Display mixed content | Prompt | Prompt | Prompt | Prompt | Prompt
12 | Don't prompt for client certificate selection when no certificates or only one certificate exists | Disabled | Disabled | Disabled | Disabled | Disabled
13 | Drag and drop or copy and paste of files | Prompt | Prompt | Prompt | Prompt | Enabled
14 | Installation of desktop items | Prompt | Prompt | Prompt | Disabled | Prompt
15 | Launching programs and files in an IFRAME | Prompt | Prompt | Prompt | Disabled | Prompt
16 | Navigate sub-frames across different domains | Prompt | Prompt | Prompt | Disabled | Enabled
17 | Software channel permissions | High | High | High | High | High
18 | Submit non-encrypted form data | Enabled | Enabled | Enabled | Prompt | Enabled
19 | Userdata persistence | Disabled | Disabled | Disabled | Disabled | Disabled
20 | Active scripting | Enabled | Enabled | Enabled | Disabled | Enabled
21 | Allow paste operations via script | Prompt | Prompt | Prompt | Disabled | Prompt
22 | Scripting of Java applets | Prompt | Prompt | Prompt | Disabled | Prompt
23 | Logon | Prompt | Prompt | Prompt | Prompt | Automatic
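Clicking through 115 dialog entries is error-prone and impossible to audit later. The script below is an added example, not part of the original page: it applies the table above through the registry and then reads every value back. It assumes Internet Explorer keeps per-user zone settings under HKCU\...\Internet Settings\Zones\<zone number>, that the action identifiers (1001, 1004, 1200, ...) are the ones Microsoft documents for these dialog entries, and that 0/1/3 encode Enabled/Prompt/Disabled while Java permissions, Software channel permissions and Logon use the 0x10000-step encodings shown.

```powershell
# Added example (not from the original page): apply the IE security-zone table via the registry.
# Assumptions: per-user zone settings live under HKCU\...\Zones\<n>; the action IDs are
# Microsoft's documented ones; 0/1/3 = Enabled/Prompt/Disabled for three-state actions.
$zoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneOrder = 3, 1, 2, 4, 0   # table column order: Internet, Local intranet, Trusted, Restricted, My Computer

$state        = @{ Enabled = 0; Prompt = 1; Disabled = 3 }
$javaLevel    = @{ Disabled = 0x00000000; High = 0x00010000; Medium = 0x00020000 }   # action 1C00
$channelLevel = @{ High = 0x00010000; Medium = 0x00020000; Low = 0x00030000 }        # action 1E05
$logonMode    = @{ Automatic = 0x00000000; Prompt = 0x00010000 }                     # action 1A00

# Action ID followed by the five table cells, in $zoneOrder.
$rows = @(
    @('1001', 'Disabled', 'Prompt',   'Prompt',   'Disabled', 'Prompt'),    #  1 Download signed ActiveX controls
    @('1004', 'Disabled', 'Disabled', 'Disabled', 'Disabled', 'Disabled'),  #  2 Download unsigned ActiveX controls
    @('1201', 'Disabled', 'Disabled', 'Disabled', 'Disabled', 'Disabled'),  #  3 Initialize/script ActiveX not marked safe
    @('1200', 'Disabled', 'Prompt',   'Enabled',  'Disabled', 'Enabled'),   #  4 Run ActiveX controls and plug-ins
    @('1405', 'Disabled', 'Prompt',   'Enabled',  'Disabled', 'Enabled'),   #  5 Script ActiveX marked safe for scripting
    @('1803', 'Enabled',  'Enabled',  'Enabled',  'Disabled', 'Enabled'),   #  6 File download
    @('1604', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Prompt'),    #  7 Font download
    @('1C00', 'High',     'High',     'High',     'Disabled', 'Medium'),    #  8 Java permissions
    @('1406', 'Disabled', 'Prompt',   'Prompt',   'Disabled', 'Prompt'),    #  9 Access data sources across domains
    @('1608', 'Enabled',  'Enabled',  'Enabled',  'Disabled', 'Enabled'),   # 10 Allow META REFRESH
    @('1609', 'Prompt',   'Prompt',   'Prompt',   'Prompt',   'Prompt'),    # 11 Display mixed content
    @('1A04', 'Disabled', 'Disabled', 'Disabled', 'Disabled', 'Disabled'),  # 12 Don't prompt for client certificate selection
    @('1802', 'Prompt',   'Prompt',   'Prompt',   'Prompt',   'Enabled'),   # 13 Drag and drop or copy and paste of files
    @('1800', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Prompt'),    # 14 Installation of desktop items
    @('1804', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Prompt'),    # 15 Launching programs and files in an IFRAME
    @('1607', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Enabled'),   # 16 Navigate sub-frames across different domains
    @('1E05', 'High',     'High',     'High',     'High',     'High'),      # 17 Software channel permissions
    @('1601', 'Enabled',  'Enabled',  'Enabled',  'Prompt',   'Enabled'),   # 18 Submit non-encrypted form data
    @('1606', 'Disabled', 'Disabled', 'Disabled', 'Disabled', 'Disabled'),  # 19 Userdata persistence
    @('1400', 'Enabled',  'Enabled',  'Enabled',  'Disabled', 'Enabled'),   # 20 Active scripting
    @('1407', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Prompt'),    # 21 Allow paste operations via script
    @('1402', 'Prompt',   'Prompt',   'Prompt',   'Disabled', 'Prompt'),    # 22 Scripting of Java applets
    @('1A00', 'Prompt',   'Prompt',   'Prompt',   'Prompt',   'Automatic')  # 23 Logon
)

function ConvertTo-ZoneValue([string]$Id, [string]$Label) {
    # Translate a table cell into the DWORD that Internet Explorer stores for that action.
    $map = switch ($Id) { '1C00' { $javaLevel } '1E05' { $channelLevel } '1A00' { $logonMode } default { $state } }
    if (-not $map.ContainsKey($Label)) { throw "No encoding for action $Id = '$Label'" }
    $map[$Label]
}

# Apply every cell.
foreach ($row in $rows) {
    for ($i = 0; $i -lt $zoneOrder.Count; $i++) {
        $value = ConvertTo-ZoneValue $row[0] $row[$i + 1]
        Set-ItemProperty -Path "$zoneRoot\$($zoneOrder[$i])" -Name $row[0] -Value $value -Type DWord
    }
}

# Make the "My Computer" zone visible in Internet Options (clears the 0x20 "hide this zone" bit).
Set-ItemProperty -Path "$zoneRoot\0" -Name Flags -Value 1 -Type DWord

# Audit: re-read every value and report anything that drifted from the table.
foreach ($row in $rows) {
    for ($i = 0; $i -lt $zoneOrder.Count; $i++) {
        $want = ConvertTo-ZoneValue $row[0] $row[$i + 1]
        $have = (Get-ItemProperty -Path "$zoneRoot\$($zoneOrder[$i])" -Name $row[0]).($row[0])
        if ($have -ne $want) { Write-Warning ("zone {0} action {1}: is {2}, want {3}" -f $zoneOrder[$i], $row[0], $have, $want) }
    }
}
```

Run it in the profile of the user being hardened (zone settings are per user) and re-run the audit loop after any software install, since installers like to loosen the Internet zone.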
- Set e-mail clients to use the Restricted sites security zone (if
applicable)
With this setting, Outlook Express (and Outlook, which offers the same option)
renders HTML e-mail without executing embedded code (ActiveX, JavaScript or
Java). This greatly reduces the threat from malicious HTML e-mail messages; it
does nothing about malicious attachments, which still need to be treated with
suspicion. In Outlook Express, change this setting under Tools -> Options ->
Security.
- Stop the following services and set them to Manual start
- Automatic Updates (workaround: visit WindowsUpdate manually every week)
- Background Intelligent Transfer Service (used only by Automatic Updates)
- Computer Browser (maintains the browse list behind My Network Places; not
needed on an isolated machine)
- Distributed Link Tracking Client (not needed on an isolated machine)
- IPSec Policy Agent (not needed without an IPSec policy)
- Messenger (carries "net send" and Alerter pop-ups; not needed on an isolated
machine)
- Remote Registry (not needed on an isolated machine)
- Server (not needed on an isolated machine; however, this is the service that
serves your shared files and printers, so leave it running if this machine
shares anything on the LAN)
- TCP/IP NetBIOS Helper (not needed once NetBIOS over TCP/IP is turned off)
- Task Scheduler (not needed without scheduled tasks)
- Workstation (not needed on an isolated machine; it is the SMB client, so
leave it running if this machine connects to other machines' shares or network
printers)
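The following script is an added example, not part of the original page: it stops the services listed above and sets them to Manual start, using the standard Windows 2000/XP service short names (wuauserv, BITS, Browser, TrkWks, PolicyAgent, Messenger, RemoteRegistry, lmhosts, Schedule, lanmanserver, lanmanworkstation). The two switches at the top are this example's way of encoding the Server and Workstation caveats; they default to the Audience section's setup (shares files or printers, does not browse other machines' shares).

```powershell
# Added example (not from the original page): stop the listed services and set them to Manual.
# Service short names are the Windows 2000/XP ones. The two switches encode the caveats for
# Server (serves your shares) and Workstation (SMB client); defaults match the Audience section.
$SharesFilesOrPrinters = $true    # keep lanmanserver up so File and Printer Sharing keeps working
$ConnectsToOtherShares = $false   # set $true if this machine opens \\other\share or network printers

$targets = @(
    @{ Name = 'wuauserv';       Desc = 'Automatic Updates (visit WindowsUpdate weekly instead)' },
    @{ Name = 'BITS';           Desc = 'Background Intelligent Transfer Service' },
    @{ Name = 'Browser';        Desc = 'Computer Browser' },
    @{ Name = 'TrkWks';         Desc = 'Distributed Link Tracking Client' },
    @{ Name = 'PolicyAgent';    Desc = 'IPSEC Policy Agent' },
    @{ Name = 'Messenger';      Desc = 'Messenger' },
    @{ Name = 'RemoteRegistry'; Desc = 'Remote Registry' },
    @{ Name = 'lmhosts';        Desc = 'TCP/IP NetBIOS Helper' },
    @{ Name = 'Schedule';       Desc = 'Task Scheduler' }
)
if (-not $SharesFilesOrPrinters) { $targets += @{ Name = 'lanmanserver';      Desc = 'Server' } }
if (-not $ConnectsToOtherShares) { $targets += @{ Name = 'lanmanworkstation'; Desc = 'Workstation' } }

foreach ($t in $targets) {
    $svc = Get-Service -Name $t.Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Warning "$($t.Name) is not installed on this machine"; continue }
    # -Force also stops dependents (e.g. Computer Browser depends on Workstation and Server).
    if ($svc.Status -eq 'Running') { Stop-Service -Name $t.Name -Force }
    Set-Service -Name $t.Name -StartupType Manual
    Write-Host ("{0,-16} stopped, start type Manual  ({1})" -f $t.Name, $t.Desc)
}

# Verify: nothing in the list should still be Running or set to Auto start.
$names = $targets | ForEach-Object { $_.Name }
Get-WmiObject Win32_Service | Where-Object { $names -contains $_.Name } |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```

Manual rather than Disabled is deliberate: a service set to Manual can still be started by something that legitimately depends on it, which makes the change reversible without another edit.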
- Turn off LM password hash storage
Windows stores each local password in two hash formats: the LM hash, which is
weak (case-insensitive, split into two independent 7-character halves) and can
be cracked in minutes, and the NT hash, which is considerably stronger (though
still unsalted). Disable LM hash storage to blunt off-line attacks on a copied
SAM. The change only takes effect when a password is next set, so afterwards
change each password (first to a temporary throwaway value, then to its real
value) to make sure no LM hash remains on the machine. Do this before enabling
the password history setting below, or it will refuse the change back to the
previous value; in that case simply pick a new password.
- Change the Local Security Policy
Apply the following settings in the Local Security Policy applet (secpol.msc):
- Account Policies -> Password Policy
- Enforce password history = 3 passwords remembered
- Minimum password length = 8 characters
- Passwords must meet complexity requirements = Enabled
- Account Policies -> Account Lockout Policy
- Account lockout duration = 30 minutes
- Account lockout threshold = 3 invalid logon attempts
- Reset account lockout counter after = 30 minutes
(A threshold of 3 is tight; bear in mind that anyone on the LAN can lock an
account out on purpose by guessing wrong three times.)
- Local Policies -> Audit Policy
- Set auditing to "Success, Failure" for every category except "Audit process
tracking", which is far too noisy for a workstation.
- Local Policies -> Security Options
- Additional restrictions for anonymous connections = No access without
explicit anonymous permissions (on Windows XP the equivalents are "Network
access: Do not allow anonymous enumeration of SAM accounts" and "... SAM
accounts and shares" = Enabled)
- Allow system to be shut down without having to log on = Disabled
- Disable CTRL+ALT+DEL requirement for logon = Disabled
- Clear virtual memory pagefile when system shuts down = Enabled
- Do not display last user name in logon screen = Enabled
- LAN Manager authentication level = Send NTLMv2 response only (this stops the
machine from authenticating to Windows 9x/ME and pre-SP4 NT 4.0 servers,
which the Audience section already excludes)
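Every setting in the two sections above can be applied in one pass with secedit, the engine behind the Local Security Policy snap-in. The script below is an added example, not part of the original page: it writes a security template with the standard INF key names (PasswordComplexity, LockoutBadCount, AuditLogonEvents, ...), the registry values behind the Security Options entries (NoLMHash, LmCompatibilityLevel=3, RestrictAnonymous, ShutdownWithoutLogon, DisableCAD, DontDisplayLastUserName, ClearPageFileAtShutdown), applies it, and then reports mismatches. C:\Harden is this example's scratch directory; the Windows 2000 versus XP handling of the anonymous-access setting and of NoLMHash (a subkey on 2000, a value on XP) is explained in the comments.

```powershell
# Added example (not from the original page): apply the LM-hash and Local Security Policy settings
# with secedit. INF keys are the standard security-template names; C:\Harden is a scratch directory.
$dir = 'C:\Harden'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Windows 2000's "No access without explicit anonymous permissions" is RestrictAnonymous=2;
# XP replaced it with two settings (SAM enumeration, SAM and share enumeration).
$isWin2000 = (Get-WmiObject Win32_OperatingSystem).Version -like '5.0*'
$anon = if ($isWin2000) {
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2'
} else {
    "MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1`r`n" +
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1'
}

# {0} receives $anon. In "path=4,value" the 4 means REG_DWORD. Audit: 3 = Success and Failure, 0 = none.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 3
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
AuditDSAccess = 3
AuditProcessTracking = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
{0}
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
'@ -f $anon

$inf = Join-Path $dir 'harden.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode   # secedit expects UTF-16 templates
secedit /configure /db "$dir\harden.sdb" /cfg $inf /log "$dir\harden.log" /quiet

# Windows 2000 reads NoLMHash as a *subkey* of Lsa rather than as a value; create it too.
if ($isWin2000) { New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash' -Force | Out-Null }

# Verify what landed. LM hashes already on disk disappear only at each account's next password change.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
    Select-Object NoLMHash, LmCompatibilityLevel, RestrictAnonymous, RestrictAnonymousSAM
net accounts
secedit /analyze /db "$dir\harden.sdb" /cfg $inf /log "$dir\analyze.log" /quiet
Select-String -Path "$dir\analyze.log" -Pattern 'Mismatch'
```

Keep harden.inf: re-running the last two lines later is a cheap way to check that nothing (an installer, a "helpful" tool) has quietly relaxed the policy.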
- Turn off NetBIOS
NetBIOS over TCP/IP is an antique protocol with numerous security weaknesses;
among other things it announces the machine's name, logged-on user and shares
on UDP 137/138 and TCP 139. Turn it off by opening the Properties of your
"Internet Protocol (TCP/IP)" connection, then Advanced -> WINS -> Disable
NetBIOS over TCP/IP. Repeat for every network connection.
- Set up a firewall to monitor UDP/TCP activity
If you have done everything described above (and File and Printer Sharing for
Microsoft Networks is enabled), only two listening ports remain exposed on
your computer: port 135 UDP/TCP (the RPC/DCE endpoint mapper) and port 445 TCP
(SMB/CIFS over TCP, a.k.a. File and Printer Sharing). The RPC service cannot
be disabled (the machine would become unusable), but you can block all
incoming and outgoing traffic to port 135 with no noticeable side effects on a
standalone machine. Limit access to port 445 to hosts on your LAN, so that
file and printer sharing keeps working locally while external hosts cannot
reach it. Confirm the result with netstat -an. I have been using Tiny Personal
Firewall 2.0 (freeware) with great success.
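The two steps above end with a checkable claim: after NetBIOS is off and the services are trimmed, only ports 135 and 445 should be listening. The script below is an added example, not part of the original page: it disables NetBIOS over TCP/IP on every adapter through the registry (NetbiosOptions=2 is the value the WINS tab writes), then parses netstat -an and compares the listening set with that claim. The "benign extras" list (UDP 68 for the DHCP client, UDP 123 for Windows Time) is this example's judgement, not something the page states; UDP 445 appears alongside TCP 445 on these versions.

```powershell
# Added example (not from the original page): disable NetBIOS over TCP/IP on every adapter,
# then confirm that only the ports the text predicts (135 and 445) are still listening.
# NetbiosOptions=2 is Windows' "Disable NetBIOS over TCP/IP"; $benign is this example's choice.

# 1. Registry: one Tcpip_{GUID} subkey per adapter under NetBT\Parameters\Interfaces.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifaceRoot) {
    Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    Write-Host "NetBIOS over TCP/IP disabled on $($iface.PSChildName)"
}
# The registry change takes effect at the next reboot (or when the adapter is re-bound).

# 2. Parse `netstat -an` into proto/port strings such as TCP/445 or UDP/135.
function Get-ListeningPorts {
    $found = @()
    foreach ($line in (netstat -an)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { $found += "TCP/$($Matches[1])" }
        elseif ($line -match '^\s*UDP\s+\S+:(\d+)\s+\*:\*')     { $found += "UDP/$($Matches[1])" }
    }
    $found | Sort-Object -Unique
}

$expected = 'TCP/135', 'UDP/135', 'TCP/445', 'UDP/445'   # RPC endpoint mapper, SMB over TCP
$benign   = 'UDP/68', 'UDP/123'                           # DHCP client, Windows Time (example's judgement)
$netbios  = 'UDP/137', 'UDP/138', 'TCP/139'               # must be gone once step 1 has taken effect

$open         = Get-ListeningPorts
$stillNetbios = $open | Where-Object { $netbios -contains $_ }
$unexpected   = $open | Where-Object { ($expected + $benign) -notcontains $_ }

if ($stillNetbios) { Write-Warning ("NetBIOS ports still listening (reboot pending?): " + ($stillNetbios -join ', ')) }
if ($unexpected)   { Write-Warning ("Unexpected listeners, investigate before trusting the firewall rules: " + ($unexpected -join ', ')) }
if (-not $stillNetbios -and -not $unexpected) { "Listening set matches the text: " + ($open -join ', ') }
```

Anything reported as unexpected is either a service that was missed in the previous step or software you installed; either way it is a port the firewall rules above do not cover.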
- Enable SysKey mode 2 (optional)
This matters most if you use EFS (Encrypting File System), but it also
protects every account's password hashes against off-line extraction. If
someone gains physical access to your machine, they can boot another operating
system (Linux, for example), reset your passwords in the SAM and log in as
you, or copy the SAM and crack the hashes at leisure. This negates all the
security settings above, including the use of EFS. To safeguard the machine
against such attacks, run "syskey" from the command prompt and choose
"Password Startup." You then have to type a password before the machine can
boot into Windows, and the key that protects the SAM and the EFS key material
is no longer stored on the disk at all. Do not lose this password: without it
Windows will not start.
As a final step after all this, install and run the Microsoft Baseline
Security Analyzer and review its findings.
Last modified: October 3, 2002
Copyright 2002 Razvan Surdulescu
All Rights Reserved